CVE-2023-41329 WireMock is a tool for mocking HTTP services. The proxy mode of WireMock can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using domain names, and in that case the configuration is vulnerable to DNS rebinding attacks. The root cause is a defect in the logic that allows a race condition: a DNS server whose record expires between the initial validation and the outbound network request can cause that request to go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this, so the attack has high execution complexity and limited impact. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the Python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users unable to upgrade should either configure firewall rules that define the list of permitted destinations or configure WireMock to use IP addresses instead of domain names.

CVE-2023-41044 Graylog is a free and open log management platform. A partial path traversal vulnerability exists in Graylog's `Support Bundle` feature.
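The race described for CVE-2023-41329 is a time-of-check/time-of-use gap: a name is validated, and the HTTP client then resolves the same name a second time when it connects. The following Python example is added here to illustrate that gap and the general mitigation of pinning the resolved address; it is not WireMock's code, and the resolver, the host name `upstream.example`, the denied-network policy and the sample addresses are all constructed for the example.

```python
import ipaddress

# Destinations the proxy must never reach (constructed example policy;
# a real deployment would take this list from its own configuration).
DENIED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
        "192.168.0.0/16", "169.254.0.0/16", "::1/128",
    )
]


def address_is_denied(ip: str) -> bool:
    """True if the literal address falls inside any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENIED_NETWORKS)


class RebindingResolver:
    """Constructed stand-in for DNS: hands out successive answers for a name
    and repeats the last one. This models a record that changes between two
    lookups, which is what a short-TTL record under a hostile DNS server does."""

    def __init__(self, answers):
        self._answers = {h: list(a) for h, a in answers.items()}
        self._calls = {h: 0 for h in answers}

    def __call__(self, host: str) -> str:
        seq = self._answers[host]
        i = min(self._calls[host], len(seq) - 1)
        self._calls[host] += 1
        return seq[i]


def proxy_by_name(host: str, resolve) -> str:
    """Vulnerable pattern: validate the name once, then let the HTTP client
    resolve it again at connect time. Returns the address actually dialed."""
    if address_is_denied(resolve(host)):
        raise PermissionError(f"{host} resolves to a denied address")
    return resolve(host)  # second lookup: the answer may have changed


def proxy_pinned(host: str, resolve) -> str:
    """Hardened pattern: resolve once, validate that address, and connect to
    that same address (the Host header still carries the original name)."""
    ip = resolve(host)
    if address_is_denied(ip):
        raise PermissionError(f"{host} resolves to a denied address")
    return ip


def demo():
    """Run both patterns against a record that flips from a public address
    (documentation range, constructed) to loopback on the second lookup."""
    answers = {"upstream.example": ["203.0.113.10", "127.0.0.1"]}
    reached_by_name = proxy_by_name("upstream.example", RebindingResolver(answers))
    reached_pinned = proxy_pinned("upstream.example", RebindingResolver(answers))
    return reached_by_name, reached_pinned


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the name-based check passing on the first answer and the second lookup landing on loopback, while the pinned variant connects to the address it validated. The two workarounds in the advisory map onto the same idea: configuring WireMock with IP addresses removes the second lookup entirely, and firewall rules enforce the destination list at a layer that never consults the name.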